DETAILED ACTION
Response to Amendment 

1. Pre-Appeal conference has been held on December 14, 2006 with Lee, Eddie and
Moazzami, Nasser. In view of the conference the examiner hereby reopens the Office action.

Response to Arguments 

2. Applicant's arguments with respect to claims 1-29 have been considered but are moot in 
view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

3. Claims 1-4, 6-13, 15-22, and 24-29 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Schertz et al. (Schertz, Pub. No.: US 2003/0084322 A1) in view of Brook et
al. USPN 7,036,148 B2.

As per claims 1, 10, and 19, Schertz teaches a computer program product/method/apparatus for
controlling a managing computer to manage malware protection within a computer network 
containing a plurality of network connected computers, said computer program product 
comprising: 

receiving code operable to receive at said managing computer a plurality of log data 
messages identifying detection of malware by respective ones of said plurality of network 
connected computers (page 4 par. 0030 lines 9-10, and page 3 par. 0022 lines 8-10);

detecting code operable to detect from said plurality of log data messages received by
said managing computer a pattern and a network-wide (par. 0021, 0023, 0018, 0003, and par. 
0018 of Schertz discloses: virus intrusion detecting/monitoring/scanning of ALL devices on a 
network network-wide, network-based virus intrusion detection system typically monitors all 
network activity and network traffic, Network-based virus intrusion protection systems analyze 
data inbound from the internet and collects network packets to compare against a database of 
various known attack signatures or bit patterns) of malware detection across said plurality of 
network connected computers matching one or more predetermined trigger (page 4 par. 0030 
lines 9-21, page 3 par. 0021 lines 10-18, and par. 0023 lines 12-18); and 

action performing code operable in response to detection of one or more predetermined 
trigger patterns to perform one or more predetermined anti-malware actions (page 4 par. 0030 
lines 16-21, and page 3 par. 0020 lines 14-25). 

Schertz fails to disclose a threshold malware detection; and 

the network-wide threshold being applied to a sum of detections each being associated 
with a different one of the network connected computers. 

However Brook et al. discloses threshold malware detection in a network-wide across 
said plurality of network connected computers matching one or more predetermined trigger (see 
col. 2 lines 21-55, col. 4 lines 7-col. 5 lines 36, and col. 3 lines 12-30); and 

the network-wide threshold being applied to a sum of detections each being associated 
with a different one of the network connected computers (col. 3 lines 12-30, and col. 4 lines 7- 
col. 5 lines 57).

It would have been obvious to one having ordinary skill in the art at the time the
invention was made to employ the teachings of Brook et al. within the system of Schertz because
they are analogous in intrusion detection. One would have been motivated to incorporate the 
teachings of Brook et al. because it would provide an efficient detection of intrusion by setting 
rules like frequency-of-occurrence stipulations, and count-reset instructions associated with a 
signature. 

As per claims 2, 11, and 20, Schertz further teaches a computer program
product/method/apparatus, wherein said plurality of network connected computers each have a
malware scanner that serves to scan computer files to detect malware within said computer
files (page 4 par. 0031 lines 1-3).

As per claims 3, 12, and 21, Schertz teaches a computer program product/method/apparatus, 
wherein said malware scanner uses malware definition data to identify malware to be detected 
(page 4 par. 0031 lines 1-3, and fig. 1 No. 16). 

As per claims 4, 13, and 22, Brook et al. further teaches a computer program 
product/method/apparatus, wherein said one or more predetermined anti-malware actions include 
forcing an update of malware definition data being used by one or more of said plurality of 
network connected computers (fig. 5 and col. 5 lines 59-col. 6 lines 34). It would have been 
obvious to combine the teachings of Brook within the system of Schertz because it would keep 
the detection device current.

As per claims 6, 15, and 24, Schertz teaches a computer program product/method/apparatus,
wherein said one or more predetermined anti-malware actions include isolating one or more of
said network connected computers from other parts of said computer network (page 4 par. 0031
lines 17-24 and page 3 par. 0020 lines 14-17).

As per claims 7, 16, and 25, Schertz teaches a computer program product/method/apparatus, 
wherein said managing computer stores said plurality of log data messages within a database 
(fig. 2 No. 80A and 81 A and par. 0021 lines 15-18). 

As per claims 8, 17, and 26, Schertz teaches a computer program product/method/apparatus, 
wherein said detecting code is operable to query said database (page 18 lines 7-10). 

As per claims 9, 18, and 27, Schertz teaches a computer program product/method/apparatus, 
wherein said database includes data identifying one or more of: 

malware protection mechanisms used by respective network connected computers (page 
2 par. 0016 lines 14-17); 

versions of malware protection computer programs used by respective network connected 
computers (page 4 par. 0031 lines 1-3, and fig. 1 No. 16); 

versions of malware definition data used by respective network connected computers 
(page 4 par. 0031 lines 1-3, and fig. 1 No. 16); and

security settings of malware protection mechanisms used by respective network
connected computers (page 2 par. 0016 lines 14-17). 

As per claim 28, Schertz discloses a program stored on a computer-readable medium as claimed 
in claim 1, wherein predefined network-wide thresholds and patterns are provided as templates 
(0021 lines 15-18; network-wide patterns are provided as a template). 

As per claim 29, Schertz discloses a program stored on a computer-readable medium as claimed
in claim 1, wherein predefined network-wide thresholds and patterns are customized to particular
circumstances (0021; customized to ... detecting, comparing circumstances ...).

4. Claims 5, 14, and 23 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Schertz et al. (Schertz, Pub. No.: US 2003/0084322 A1) and Brook et al. USPN 7,036,148 B2 in
view of Chen et al. (Chen, Patent Number: 5,832,208).

As per claims 5, 14, and 23, Schertz teaches all the subject matter as described above. 
Schertz does not explicitly teach altering the scanner setting when malware is detected. 
However Chen teaches a computer program product/method/apparatus, wherein said one or more 
predetermined anti-malware actions include altering at least one scanner setting of at least one 
malware scanner such that said malware scanner performs more thorough malware scanning 
(Chen Fig. 3 No. 260; performing more thorough virus scanning after virus is detected).

Therefore it would have been obvious to one having ordinary skill in the art at the time
the invention was made to employ the teachings of Chen within the combination system of
Schertz and Brook et al. because it would scan the entire email/data to detect more viruses, if any.



5. Claims 1-4, 6-13, 15-22, and 24-29 are rejected under 35 U.S.C. 102(e) as being
anticipated by Chefalas et al. US PG PUBS 2002/0116639 A1.

As per claims 1, 10, and 19, Chefalas teaches a computer program product/method/apparatus for
controlling a managing computer to manage malware protection within a computer network 
containing a plurality of network connected computers (fig. 1 and claim 29), said computer 
program product comprising: 

receiving code operable to receive at said managing computer a plurality of log data 
messages identifying detection of malware by respective ones of said plurality of network 
connected computers (0027, and 0057-0058; identified malware detections are received at the 
server 106 from plurality of client devices over the networks);

detecting code operable to detect from said plurality of log data messages received (0012, 
fig. 4A-B, and fig. 5A-B; detecting at users computers and received at the server) by said 
managing computer a pattern and a network-wide of malware detection across said plurality of
network connected computers matching one or more predetermined trigger (0012, fig. 4A-B,
and fig. 5A-B; multiple patterns are detected and transmitted to the server network-wide
threshold) the detections each being associated with a different one of the network connected 
computers (fig. 1 and 0022); and

action performing code operable in response to detection of one or more predetermined
trigger patterns to perform one or more predetermined anti-malware actions (0012 and fig. 8 
element 804). 

Chefalas et al. fails to disclose threshold of malware detection; and 
the threshold being applied to sum of detections. 

However Brook et al. discloses a threshold of malware detection across said plurality of 
network connected computers matching one or more predetermined trigger (see col. 2 lines 21- 
55, and col. 3 lines 12-30, and col. 4 lines 7-col. 5 lines 36); and 

the threshold being applied to sum of detections, the detections each being associated 
with a different one of the network connected computers (col. 3 lines 12-30, and col. 4 lines 7- 
col. 5 lines 57). 

It would have been obvious to one having ordinary skill in the art at the time the
invention was made to employ the teachings of Brook et al. within the system of Chefalas et al.
because they are analogous in intrusion detection. One would have been motivated to incorporate 
the teachings of Brook et al. because it would provide an efficient detection of intrusion by 
setting rules like frequency-of-occurrence stipulations, and count-reset instructions associated 
with a signature. 

As per claims 2, 11, and 20, Chefalas et al. further teaches a computer program
product/method/apparatus, wherein said plurality of network connected computers each have a
malware scanner that serves to scan computer files to detect malware within said computer

As per claims 3, 12, and 21, Chefalas et al. teaches a computer program
product/method/apparatus, wherein said malware scanner uses malware definition data to 
identify malware to be detected (fig. 4A, and Fig. 5 A; virus names A-F). 

As per claims 4, 13, and 22, Brook et al. further teaches a computer program 
product/method/apparatus, wherein said one or more predetermined anti-malware actions include 
forcing an update of malware definition data being used by one or more of said plurality of 
network connected computers (fig. 5 and col. 5 lines 59-col. 6 lines 34). It would have been 
obvious to combine the teachings of Brook within the system of Chefalas et al. because it would 
keep the detection device current. 

As per claims 6, 15, and 24, Chefalas et al. teaches a computer program
product/method/apparatus, wherein said one or more predetermined anti-malware actions include
isolating one or more of said network connected computers from other parts of said computer
network (fig. 6 element 606 and fig. 7 element 706).

As per claims 7, 16, and 25, Chefalas et al. teaches a computer program 
product/method/apparatus, wherein said managing computer stores said plurality of log data 
messages within a database (fig. 5A).

As per claims 8, 17, and 26, Chefalas et al. teaches a computer program
product/method/apparatus, wherein said detecting code is operable to query said database (0048).

As per claims 9, 18, and 27, Chefalas et al. teaches a computer program
product/method/apparatus, wherein said database includes data identifying one or more of:

malware protection mechanisms used by respective network connected computers
(0048);

versions of malware protection computer programs used by respective network connected 
computers (fig. 5A); 

versions of malware definition data used by respective network connected computers (fig. 
5A); and 

security settings of malware protection mechanisms used by respective network 
connected computers (fig. 8 element 804, and 0012). 

As per claim 28, Brook et al. discloses a program stored on a computer-readable medium as 
claimed in claim 1, wherein predefined network-wide thresholds and patterns are provided as 
templates (fig. 3 elements 301B-304B and 301D-304D). It would have been obvious to one
having ordinary skill in the art at the time the invention was made to employ the teachings of
Brook et al. within the combination system because it would detect intrusion based on known
signature and threshold values/rules so it would enhance the detection system.

As per claim 29, Brook et al. discloses a program stored on a computer-readable medium as
claimed in claim 1, wherein predefined network-wide thresholds and patterns are customized to
particular circumstances (col. 4 lines 7-col. 5 lines 58). The rationale for combining is the same
as claim 28 above.

6. Claims 5, 14, and 23 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Chefalas et al. US PG PUBS 2002/0116639 A1, and Brook et al. USPN 7,036,148 B2, and in
view of Chen et al. (Chen, Patent Number: 5,832,208).

As per claims 5, 14, and 23, Chefalas et al. teaches all the subject matter as described above. 
Chefalas does not explicitly teach altering the scanner setting when malware is detected. 
However Chen teaches a computer program product/method/apparatus, wherein said one or more 
predetermined anti-malware actions include altering at least one scanner setting of at least one 
malware scanner such that said malware scanner performs more thorough malware scanning 
(Chen Fig. 3 No. 260; performing more thorough virus scanning after virus is detected). 
Therefore it would have been obvious to one having ordinary skill in the art at the time the
invention was made to employ the teachings of Chen within the combination system of Chefalas
and Brook et al. because it would scan the entire email/data to detect more viruses, if any.

Conclusion 

7. The prior art made of record and not relied upon is considered pertinent to applicant's
disclosure. US 2004/0230840 A1 Radatti: discloses viruses, Trojan horses, worms, etc.
detection over a network. Receiving and detecting all data streams that pass from an external
network, through the transport layer of an operating system to the user application or from the
user application to the transport layer.

US 2004/0088570 A1 Roberts et al. discloses internet data malware scanning.

US 2003/0177397 A1 Samman discloses network environment virus detection and
protection.

US 2003/0023866 A1 Hinchliffe et al. discloses centrally managed malware
scanning and detecting method.

8. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Eleni A. Shiferaw whose telephone number is 571-272-3867. 
The examiner can normally be reached on Mon-Fri 8:00am-5:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser R. Moazzami can be reached on (571) 272-4195. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published applications 



applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.